Trust Assessment
openclaw-persistent-memory received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 12 findings: 9 critical, 0 high, 1 medium, and 2 low severity. Key findings include "Network egress to untrusted endpoints", "Sensitive environment variable access: $HOME", and "Node lockfile missing".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (12)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Network egress to untrusted endpoints.** HTTP request to raw IP address. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/webdevtodayjason/openclaw-persistent-memory/SKILL.md:45 |
| CRITICAL | **Network egress to untrusted endpoints.** HTTP request to raw IP address. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/webdevtodayjason/openclaw-persistent-memory/SKILL.md:68 |
| CRITICAL | **Network egress to untrusted endpoints.** HTTP request to raw IP address. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/webdevtodayjason/openclaw-persistent-memory/SKILL.md:84 |
| CRITICAL | **Network egress to untrusted endpoints.** HTTP request to raw IP address. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/webdevtodayjason/openclaw-persistent-memory/scripts/install.sh:43 |
| CRITICAL | **Network egress to untrusted endpoints.** HTTP request to raw IP address. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/webdevtodayjason/openclaw-persistent-memory/scripts/install.sh:63 |
| CRITICAL | **Network egress to untrusted endpoints.** HTTP request to raw IP address. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/webdevtodayjason/openclaw-persistent-memory/scripts/mem-search.sh:5 |
| CRITICAL | **Shell Command Injection via unescaped user input in `search` function.** The `search` function in `scripts/mem-search.sh` constructs a JSON payload by directly interpolating user-provided query and type parameters into a string, which is then passed to `curl -d`. This allows an attacker to inject arbitrary shell commands by crafting the `query` argument with shell metacharacters (e.g., `$(command)` or backticks), leading to arbitrary code execution on the host system. User input must be properly escaped before being interpolated into shell commands or JSON strings. For JSON, use a tool like `jq -nc --arg query "$query" --arg type "$type" --argjson limit "$limit" '{"query": $query, "limit": $limit, "type": $type}'` to construct the JSON safely. For shell arguments, use `printf %q` or ensure variables are quoted correctly and not subject to shell expansion. | LLM | scripts/mem-search.sh:49 |
| CRITICAL | **Shell Command Injection via unescaped user input in `get_observation` function.** The `get_observation` function in `scripts/mem-search.sh` directly interpolates the user-provided `id` into the `curl` URL. If the `id` contains shell metacharacters (e.g., `;`, `&`, `\|`, `$(...)`), an attacker can execute arbitrary shell commands on the host system. User input (`$id`) must be properly escaped before being used in a URL or as part of a shell command. For URLs, URL-encode the ID. For shell arguments, use `printf %q` or ensure variables are quoted correctly and not subject to shell expansion. | LLM | scripts/mem-search.sh:75 |
| CRITICAL | **Shell Command Injection via unescaped user input in `timeline` function.** The `timeline` function in `scripts/mem-search.sh` constructs a JSON payload by directly interpolating the user-provided `id` into a string, which is then passed to `curl -d`. This allows an attacker to inject arbitrary shell commands by crafting the `id` argument with shell metacharacters (e.g., `$(command)` or backticks), leading to arbitrary code execution on the host system. User input (`$id`) must be properly escaped before being interpolated into shell commands or JSON strings. For JSON, use a tool like `jq -nc --argjson id "$id" '{"observation_id": $id}'` to construct the JSON safely. For shell arguments, use `printf %q` or ensure variables are quoted correctly and not subject to shell expansion. | LLM | scripts/mem-search.sh:93 |
| MEDIUM | **Sensitive environment variable access: $HOME.** Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/webdevtodayjason/openclaw-persistent-memory/scripts/install.sh:17 |
| LOW | **Node lockfile missing.** package.json is present but no lockfile was found (package-lock.json, pnpm-lock.yaml, or yarn.lock). Commit a lockfile for deterministic dependency resolution. | Dependencies | skills/webdevtodayjason/openclaw-persistent-memory/package.json |
| LOW | **Reliance on external npm package for core functionality.** The `install.sh` script globally installs `openclaw-persistent-memory` from npm and copies its extension files. This introduces a supply chain risk as the security of the skill heavily depends on the integrity and security of this external, unvetted (in this context) npm package and its own dependencies. Malicious code in `openclaw-persistent-memory` or its dependencies could compromise the user's system. 1. **Audit `openclaw-persistent-memory`**: If possible, audit the source code of the `openclaw-persistent-memory` npm package and its dependencies for vulnerabilities or malicious behavior. 2. **Pin Dependencies**: Ensure that the `package.json` files for both the main skill and the extension use pinned versions (e.g., `1.2.3` instead of `^1.2.3` or `*`) to prevent unexpected updates that could introduce vulnerabilities. 3. **Integrity Checks**: Consider adding integrity checks (e.g., checksums) for downloaded packages if not relying solely on npm's integrity features. 4. **Least Privilege**: Review the permissions required by the `openclaw-persistent-memory` package and its extension to ensure they are not excessive. | LLM | scripts/install.sh:8 |